iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets.
Netfilter is an infrastructure; it is the basic API that the Linux 2.4 kernel offers to applications that want to view and manipulate network packets. iptables is an interface that uses Netfilter to classify and act on packets.
Among the advantages of nftables over iptables are less code duplication and easier extension to new protocols. nftables is configured via the user-space utility nft, while the legacy frameworks are configured via the iptables, ip6tables, arptables and ebtables utilities.
Netfilter is implemented in the Linux kernel as a framework that allows callback functions to be attached to network events. These callback functions can be implemented as kernel modules, thus allowing iptables to inherit the flexibility of the Linux kernel module system.
filter — The default table for handling network packets. nat — Used to alter packets that create a new connection and used for Network Address Translation (NAT). mangle — Used for specific types of packet alteration.
Now, nftables allows you to manage all families in one single CLI tool. This new framework features a new Linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions which can be combined to build complex filtering rules.
xtables-legacy are the original versions of iptables that use the old getsockopt/setsockopt-based kernel interface. This kernel interface has some limitations, therefore iptables can also be used with the newer nf_tables-based API.
Although this sounds like no big deal, it indeed allows nftables to behave like iptables: while one could already create nftables base chains at the same hook points and priorities as iptables' built-in chains, with xtables matches and targets being available for use in nftables rules these may be created in a ...
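As an added example (not taken from any of the quoted sources), the following nft ruleset reproduces the three iptables tables named above (filter, nat, mangle) as nftables base chains registered at the same hook points and priorities that iptables' built-in chains use, with a default-drop input policy and logged drops so that blocked traffic is visible to monitoring. It assumes an nft version that accepts the symbolic priority names (filter, dstnat, srcnat, mangle) and an outbound interface called eth0; both are assumptions, not values from the page.

```nft
#!/usr/sbin/nft -f
# Added example: iptables-style filter/nat/mangle tables expressed in nftables.
flush ruleset

table inet filter {              # "inet" covers IPv4 and IPv6 in one table
    chain input {
        type filter hook input priority filter; policy drop;   # priority 0 = iptables filter INPUT
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        tcp dport 22 ct state new limit rate 10/minute accept  # rate-limited SSH
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        log prefix "nft-input-drop: " counter drop            # log + count what the policy rejects
    }
    chain forward {
        type filter hook forward priority filter; policy drop; # = iptables filter FORWARD
    }
    chain output {
        type filter hook output priority filter; policy accept; # = iptables filter OUTPUT
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;              # -100 = iptables nat PREROUTING
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;             # 100 = iptables nat POSTROUTING
        oifname "eth0" masquerade                              # eth0 is an assumed interface name
    }
}

table ip mangle {
    chain prerouting {
        type filter hook prerouting priority mangle;           # -150 = iptables mangle PREROUTING
        tcp dport 22 meta mark set 0x1 counter                 # packet alteration: set a fwmark
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; the priority values shown there are the same ones iptables registers for its built-in chains, which is what lets the two frameworks coexist at the same hooks.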